From: Serge Dubrouski <sergeyfd@gmail.com>
To: users@httpd.apache.org
Date: Thu, 15 Apr 2010 12:25:25 -0600
Subject: Re: [users@httpd] Re-negotiation handshake failed

The window would pop up if you had several certs installed in your browser
that could satisfy the server's request. Since you have just one cert
installed, the browser sends it by default.

On Thu, Apr 15, 2010 at 12:27 PM, <KennethYeung@infoimageinc.com> wrote:
>
> After I installed a certificate on my browser (tested on both IE and
> Firefox), I was able to access the site with client authentication. I was
> expecting my browser to pop up a dialog and ask me for a certificate.
> However, it seems like the browser won't do so if I have no certificate
> installed on my browser. Anyway, thanks for your help.
>
> Kenneth Yeung
>
> Serge Dubrouski <sergeyfd@gmail.com>
> 04/15/2010 09:44 AM
> Please respond to: users@httpd.apache.org
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] Re-negotiation handshake failed
>
> This message is normal. It says that the server expected a user certificate
> but it wasn't presented by the browser.
>
> On Tue, Apr 13, 2010 at 5:31 PM, <KennethYeung@infoimageinc.com> wrote:
> >
> > Greeting!
> >
> > I'm having a problem on setting up client certificate on my test site on
> > Apache 2.2.15/OpenSSL 0.9.8m on Windows XP. I followed the "How-To"
> > articles on mod_ssl (http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html).
> > When I browse the site, I got the following error message in the log:
> >
> > Re-negotiation handshake failed: Not accepted by client!?
> >
> > I read through the documentation. I tried to turn SSLInsecureRenegotiation
> > on and off, but no luck. I attached the configuration of my virtual host,
> > hoping that you would point out anything that I've missed. Oh, when I said
> > that the site wasn't working, I was referring to my browser, which displays
> > an error page with the code: ssl_error_handshake_failure_alert, instead of
> > asking me for a certificate.
> >
> > Thanks,
> >
> > Kenneth Yeung
> >
> > <VirtualHost *:10991>
> >     ServerAdmin mysite@mycompany.com
> >     DocumentRoot "C:/hosts-static/mysite/ROOT"
> >     ServerName mysite.mycompany.com
> >     ErrorLog "C:/hosts-static/mysite/log/ROOT-error.log"
> >     CustomLog "C:/hosts-static/mysite/log/ROOT-access.log" common
> >
> >     SSLEngine on
> >     SSLCipherSuite HIGH:MEDIUM
> >     SSLCertificateFile "C:/Apache2.2/conf/ssl.crt/mysite.crt"
> >     SSLCertificateKeyFile "C:/Apache2.2/conf/ssl.crt/mysite.key"
> >
> >     SSLInsecureRenegotiation on
> >
> >     <Directory C:/hosts-static/mysite/ROOT>
> >         Order deny,allow
> >         Allow from all
> >
> >         SSLVerifyClient require
> >         SSLVerifyDepth 1
> >         SSLCACertificateFile "C:/Apache2.2/conf/ssl.crt/self_signed_ca.crt"
> >     </Directory>
> >
> > </VirtualHost>
>
> --
> Serge Dubrouski.

--
Serge Dubrouski.
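A variant of the virtual host quoted in this thread, given as an added example that is not part of the original messages. In per-directory context `SSLVerifyClient` forces a renegotiation after the HTTP request has been read, which is where the logged error comes from; in server context the certificate is requested during the initial handshake. Paths and names are reused from the quoted configuration, and the second log file name and its format string are assumptions.

```apache
# Added example, not the original poster's configuration.
<VirtualHost *:10991>
    ServerAdmin mysite@mycompany.com
    DocumentRoot "C:/hosts-static/mysite/ROOT"
    ServerName mysite.mycompany.com
    ErrorLog "C:/hosts-static/mysite/log/ROOT-error.log"
    CustomLog "C:/hosts-static/mysite/log/ROOT-access.log" common

    SSLEngine on
    SSLCipherSuite HIGH:MEDIUM
    SSLCertificateFile "C:/Apache2.2/conf/ssl.crt/mysite.crt"
    SSLCertificateKeyFile "C:/Apache2.2/conf/ssl.crt/mysite.key"

    # Server context: the client certificate is requested in the first
    # handshake, so no renegotiation is needed for this virtual host.
    # A client without a certificate still fails, but at connection time.
    SSLVerifyClient require
    SSLVerifyDepth 1
    SSLCACertificateFile "C:/Apache2.2/conf/ssl.crt/self_signed_ca.crt"

    # SSLInsecureRenegotiation is left at its default (off). In the thread,
    # toggling it did not change the result; the missing browser certificate
    # was the cause.

    # Hypothetical extra log: records the verification result and the
    # certificate subject for each request (mod_ssl %{...}x variables).
    CustomLog "C:/hosts-static/mysite/log/ROOT-ssl.log" \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CLIENT_VERIFY}x \"%{SSL_CLIENT_S_DN}x\" \"%r\" %>s"

    <Directory "C:/hosts-static/mysite/ROOT">
        Order deny,allow
        Allow from all
    </Directory>
</VirtualHost>
```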